Security and Compliance

AWS at Emory has been designed to help protect your data. As outlined in more detail in the Technical Architecture section as well as the AWS at Emory whitepaper, the service has standard VPCs, IAM and security control policies, risk detectors and remediations, and a process to review each AWS service before allowing it to be accessed.

This page aims to help you understand which compliance types are supported in AWS at Emory, and provides more information about the security controls and the terms of use.

Compliance Types Supported

These controls, outlined above, enable the use of AWS at Emory for storing, processing, and accessing electronic protected health information (ePHI) as well as individually identifiable health information (IIHI) once the appropriate compliance approvals are in place, and, of course, only for appropriate Emory-owned data and Emory business.

If you are not using sensitive data, these controls will still help protect your data from unauthorized access and help minimize unintended configuration changes that might expose your data. You should always, though, work to ensure your data is protected to the appropriate level. Although AWS at Emory has a number of controls in place, you should ensure you and your teams are configuring your infrastructure and services using best practices for information security. Please do not rely solely on these security controls; rather, employ your own controls and best practices as well.

For workloads that require compliance with PCI (credit card), the Federal Information Security Management Act (FISMA), or the European Union's General Data Protection Regulation (GDPR), AWS at Emory should not be used. Also, data that is owned by any other organization, such as the Atlanta VA Medical Center, Children's Healthcare of Atlanta, or Grady Healthcare System, should not be stored, managed, or accessed through AWS at Emory unless a specific data use agreement or other appropriate approval has been granted.

Once you have the appropriate approval(s), you can run ePHI or IIHI workloads in an AWS at Emory HIPAA account using the designated HIPAA-compliant AWS services. When used within the AWS at Emory HIPAA account, these services comply with Emory's HIPAA policy. The current list of these services can be found on the AWS at Emory Landing Page. These services must be used within the AWS at Emory HIPAA account (designated at account creation), not the AWS at Emory Standard account or a non-AWS at Emory account.

Security Controls

For a list of the current AWS services allowed by AWS at Emory, please visit the AWS at Emory landing page. If you do not see a service you would like to use, please do not hesitate to contact us at aws.help@emory.edu for more information.

For those AWS services released to AWS at Emory, you can find a list of the security controls in place by visiting the technical documentation page. Note that you will need an Emory login.

Due to the controls in place, some install wizards may not work, or services may not behave as expected. In these situations, we may need to dig into the issue a bit deeper and determine what options might be available. Contact us at aws.help@emory.edu.

Terms of Use

In order to ensure the environment works appropriately, it is important to understand what AWS at Emory provides, and what is expected of you. Please review the AWS at Emory Rules of Behavior to ensure you understand expectations when using the service.